Why does authorization not use AzMan?

Topics: Architecture, Security, Users and roles
Jul 4, 2008 at 4:54 AM
I'm interested to find out why the developers chose to use ADAM/AD to store the Users, Roles and the relationship between them but to put the Actions and the association between Actions and Roles in the database 'TenantMetadataStore'.

It seems the AzMan library provides authorization by storing users, roles and actions (called operations) also in ADAM/AD.

Why was the current design chosen instead of either
- store Users, Roles and Actions in ADAM and manage the Actions using the same API currently used for users and roles
- use AzMan to manage ADAM containing Users, Roles, Actions.

Thanks
Kim

BTW: great example code, but where are your code comments ;)
Jul 15, 2008 at 6:42 PM

Our goal was to demonstrate claims-based security (authorization, to be more explicit). In this context, "actions" is just one type of claim, but the Litware infrastructure is more generic, so we could expand it to use other claim types (e.g. "Gold Package", "Silver Package"). This enables federation between two organizations, with all the good things about that.

Actions (which translate to the operations in LWHR or the res#op claim type in BizTalk Identity Services) are just convenient, of course, because the ServiceAuthzManager is straightforward.

I guess we could have used the same store, but I guess it was just simpler to do this.

Frankly, in retrospect, I would probably mock out the whole identity store using an in-memory implementation (just one less dependency to worry about, as demonstrated in other threads of this forum).

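To make the design described in the reply above concrete (roles from an identity store, actions and other entitlements from a tenant metadata store, everything flattened into claims so that "action" is just one claim type among others), here is an added example. It is not code from the LitwareHR project and is written in Python rather than the project's C#/WCF; the class and function names (InMemoryIdentityStore, InMemoryTenantMetadataStore, ClaimsAuthorizationManager, build_claims, can) are hypothetical stand-ins, the user/role/action data is constructed for the example, and the trusted-issuer check is my addition to show the caveat that matters once claims can arrive from a federation partner.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    """One assertion about a caller. claim_type is open-ended: "role",
    "action", "package", ... The issuer records who asserted it."""
    claim_type: str
    value: str
    issuer: str


class InMemoryIdentityStore:
    """Stand-in for the ADAM/AD store (user -> roles); hypothetical name.
    An in-memory store removes the directory dependency during development."""

    def __init__(self, user_roles):
        self._user_roles = {u: frozenset(r) for u, r in user_roles.items()}

    def roles_for(self, user):
        return self._user_roles.get(user, frozenset())


class InMemoryTenantMetadataStore:
    """Stand-in for TenantMetadataStore (role -> actions, role -> packages)."""

    def __init__(self, role_actions, role_packages):
        self._actions = {r: frozenset(a) for r, a in role_actions.items()}
        self._packages = {r: frozenset(p) for r, p in role_packages.items()}

    def actions_for(self, role):
        return self._actions.get(role, frozenset())

    def packages_for(self, role):
        return self._packages.get(role, frozenset())


LOCAL_ISSUER = "litware-local"  # hypothetical issuer name for locally derived claims


def build_claims(user, identity, metadata, issuer=LOCAL_ISSUER):
    """Join the two stores into a flat claim set for the caller."""
    claims = set()
    for role in identity.roles_for(user):
        claims.add(Claim("role", role, issuer))
        for action in metadata.actions_for(role):
            claims.add(Claim("action", action, issuer))
        for package in metadata.packages_for(role):
            claims.add(Claim("package", package, issuer))
    return frozenset(claims)


class ClaimsAuthorizationManager:
    """Generic claims check; the 'actions' convention is one thin method on top."""

    def __init__(self, trusted_issuers):
        # Claims from any issuer not in this set are ignored (deny by default).
        self.trusted_issuers = frozenset(trusted_issuers)

    def has_claim(self, claims, claim_type, value):
        return any(
            c.claim_type == claim_type
            and c.value == value
            and c.issuer in self.trusted_issuers
            for c in claims
        )

    def check_access(self, claims, operation):
        """Operation name must match an 'action' claim from a trusted issuer."""
        return self.has_claim(claims, "action", operation)


# Constructed sample data for the example (not from the project).
IDENTITY = InMemoryIdentityStore({"alice": ["Manager"], "bob": ["Clerk"]})
METADATA = InMemoryTenantMetadataStore(
    role_actions={"Manager": ["CreateOrder", "ApproveOrder"], "Clerk": ["CreateOrder"]},
    role_packages={"Manager": ["Gold Package"], "Clerk": ["Silver Package"]},
)
AUTHZ = ClaimsAuthorizationManager(trusted_issuers=[LOCAL_ISSUER, "partner-sts"])


def can(user, operation, identity=IDENTITY, metadata=METADATA, authz=AUTHZ):
    """Action-style check: does this user hold the action claim for the operation?"""
    return authz.check_access(build_claims(user, identity, metadata), operation)


def has_package(user, package, identity=IDENTITY, metadata=METADATA, authz=AUTHZ):
    """Same machinery, different claim type: entitlement checks need no new code."""
    return authz.has_claim(build_claims(user, identity, metadata), "package", package)


if __name__ == "__main__":
    print("alice ApproveOrder:", can("alice", "ApproveOrder"))   # True
    print("bob ApproveOrder:", can("bob", "ApproveOrder"))       # False
    print("alice Gold Package:", has_package("alice", "Gold Package"))  # True
```

The point to take from it: swapping ADAM for an in-memory store changes one class, and a federated partner's claims plug into the same check as locally derived ones, which is exactly why the issuer must be verified before a claim counts.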
Jul 25, 2008 at 9:35 PM
Yes, it certainly seems better not to introduce depencencies anywhere in the application (other than .Net!), because dependencies will generally not be universally used across the user base.  ADAM immediately presented me with issues, because my operating system did not appear to have it!  Also, dependencies may severely limit configuration/re-configuration options.  Dependencies may also present commercial issues to ISV's who might be interested in selling the multi-tenanted application package/business as part of the exit strategy.  I would rather that everything be developed from scratch, (whether by the Litware team, or by me) or not at all.  Maybe this could become part of the design/coding standards for Litware?